  • Frank Tian

Updated Guideline for BaaS

On June 6th, the Fed, OCC, and FDIC jointly released an updated guideline for banks’ third-party risk management.

This has been highly anticipated since regulators began beating the drum about partnerships between banks and fintech/non-bank entities last year.

It started with the OCC Chief’s speech in September, followed by the Treasury report in November, remarks from Fed officials in December, and enforcement actions against banks like Blue Ridge/Cross River.

The guideline does not relieve small banks of their regulatory duties - “the guidance is relevant to all banking organizations”.

However, it does acknowledge that the risk management processes should consider “the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships”.

The guideline is “principles-based”. It is not meant to be prescriptive, but it contains details covering all aspects of third-party management.

Some components:

📍The bank needs to evaluate the overall risk management capability of a third party.

📍The bank needs to have ongoing monitoring via reports, visits/meetings, and testing.

📍The bank needs to evaluate the risk associated with the volume and type of subcontractors a third party deploys.

📍When circumstances warrant, a regulator will examine the functions/operations a third party performs on behalf of the bank and issue enforcement actions if necessary.

What does all of this mean?

As Uncle Ben told Peter Parker, "With great power comes great responsibility."

Bank/non-bank partnerships have grown strongly in recent years. Their collective scale has become critical and warrants more prudent practices, hence the updated guideline.

The risk management scope spreads over multiple parties, but that does not necessarily diminish the work for the bank.

Arguably it takes greater effort - the bank needs to uncover information from its partners and manage their behaviors. Many such partners have limited history and have not dealt with financial products before.

Besides the unmitigated regulatory duties, managing the diverse partnerships requires operational resilience, while the bank does not have the cross-sell synergy of a full-service bank.

The regulatory action signals that the Banking-as-a-Service model is beginning to enter maturity.
